BSE has issued guidelines requiring all registered Application Service Providers (ASPs) to conduct and submit periodic System Audit, Cyber Security Audit, and Vulnerability Assessment and Penetration Testing (VAPT) on a yearly basis. The audits cover the audit period 1st April to 31st March, with audit reports due by 30th June and Action Taken Reports (ATRs) due by 30th September each year.

Key Points

• All registered ASPs must conduct periodic system audits of their Non-Exchange Trading Frontend and security controls.
• Cyber Security Audit and VAPT assessments are required annually to strengthen cybersecurity resilience against incidents and attacks.
• Three audit types are mandated: System Audit Report, Cyber Audit Report, and VAPT Report — all covering the period 1st April to 31st March.
• Audit reports must be submitted on or before 30th June; Action Taken Reports (if applicable) must be submitted on or before 30th September.
• All audit reports must be approved by the Managing Director, Director, CTO, or CISO before submission.
• Detailed guidelines, formats, and Terms of Reference (TOR) are provided via seven annexures (A through G).

Regulatory Changes

No new regulatory framework is introduced; this notice consolidates and reiterates existing cybersecurity compliance obligations for ASP vendors, aligning with SEBI’s Cyber Security and Cyber Resilience Framework (SEBI CSCRF). Formats for VAPT audit reports and auditor declarations are now standardized per SEBI CSCRF requirements.

Compliance Requirements

• Registered ASP vendors must select auditors per the norms in Annexure A.
• System Audit and Cyber Audit reports must follow formats in Annexure B and Annexure C respectively.
• VAPT audit submissions must include: Auditor’s Declaration (Annexure D) and VAPT Summary Report (Annexure E).
• System Audit must follow the Terms of Reference (TOR) in Annexure F; Cyber Audit must follow TOR in Annexure G.
• All three audit reports require sign-off from MD/Director/CTO/CISO before submission to BSE.
• Contact for queries: trading.app@bseindia.com / mscopr@bseindia.com; Phone: 022-22725116/5873/8926/5376.

Important Dates

• Audit Period: 1st April to 31st March (annual)
• Audit Report Submission Deadline: On or before 30th June
• Action Taken Report (ATR) Submission Deadline: On or before 30th September

Impact Assessment

This circular directly impacts registered ASP vendors providing trading frontend services on BSE. It imposes structured, time-bound audit obligations with standardized formats and escalated approval requirements (MD/CTO/CISO sign-off). Non-compliance could result in regulatory action against the ASP’s registration status. The broader market impact is limited as this targets infrastructure providers rather than trading members or investors directly; however, it strengthens the cybersecurity posture of the trading ecosystem.